
Introducing Windows XP Embedded with Service Pack 2

Summary

This document summarizes feature changes and additions for Microsoft® Windows® XP Embedded with Service Pack 2.

Introduction

Microsoft® Windows® XP Embedded with Service Pack 2 (SP2) combines the benefits of Windows XP Professional Service Pack 2 with enhancements that are targeted to embedded device development. Windows XP Professional SP2 includes new security technologies that affect network protection, memory protection, Web browsing, and e-mail handling. Windows XP Embedded with SP2 includes these important security changes. Windows XP Embedded with SP2 also provides updates to Windows features such as Microsoft® DirectX®, and to embedded supporting features such as the Minlogon single-user environment.

This document describes the new and changed features of Windows XP Embedded with SP2 in terms of their place in the device development process.

The following table provides a summary of key feature changes in Windows XP Professional that are included in Windows XP Embedded with SP2. This table also describes Windows XP Professional features that are new for Windows XP Embedded with SP2.

Feature or area | Description
Security | Provides the same broad range of security changes to Windows XP Embedded that Windows XP Professional SP2 includes.
Microsoft DirectX 9.0c | Provides the resources you need to run applications that are compatible with DirectX 9.0c on your embedded devices.
Microsoft® .NET Framework 1.1 | Provides the resources you need to run applications that are compliant with .NET Framework 1.1 on your embedded devices.
Microsoft® Windows Media® Player 9 Series | Provides the resources you need to run applications for Windows Media Player 9 Series on your embedded devices.
Microsoft® Software Update Services (SUS) | Provides a complete solution for servicing embedded devices. You can now use SUS to manage the distribution of Windows updates to Windows XP Embedded-based clients.
Microsoft® Systems Management Server (SMS) | Provides security patch management capabilities. Embedded developers can now use SMS to manage the deployment of security patches to Windows XP Embedded-based devices.
Terminal Server Remote Desktop | Updates the remote desktop capabilities of your embedded devices.
Windows Firewall | Increases the security of your embedded devices.

The following table provides a summary of changes to the embedded enabling features in Windows XP Embedded with SP2.

Feature or area | Description
Windows application compatibility macro components | Increase application compatibility between your run-time image and applications in areas of multimedia, networking, shell, Windows core, and Windows Management Instrumentation (WMI).
Generic Device Driver Support component | Quickly add support for one or more device classes to your run-time image.
Enhanced Write Filter (EWF) | Reduce boot time for your EWF-protected run-time image by using a hibernation file.
Minlogon | Implement a single-user logon environment that supports standby and hibernation.
Windows XP Embedded documentation | Read the latest Help documentation for expanded information about security and servicing, as well as more how-to topics. Component Help is now available for every component in the Windows Embedded Studio component database and includes detailed information about dependencies, resources, and interfaces.

Designing a Run-Time Image

Windows XP Embedded with SP2 makes it easier to design and configure your run-time image for better security, device support, and application compatibility. This section provides a summary of feature changes in Windows XP Embedded with SP2.

For more information about using Windows XP Embedded to design a run-time image, see Design a Run-Time Image in the Windows XP Embedded documentation.

Changes to Windows Features

Windows XP Embedded with SP2 includes updated components for the following Microsoft Windows features and applications.

Microsoft DirectX 9.0c

Windows XP Embedded with SP2 provides support for Microsoft DirectX 9.0c. You can use the Microsoft DirectX 9.0c component in the Windows Embedded Studio component database to run C, C++ and C# applications that are compliant with DirectX 9.0c.

For information about dependencies and included files for the DirectX 9.0c component, see the Component Help in Windows XP Embedded with SP2. For information about writing DirectX 9.0c applications, see the DirectX 9.0 SDK Update on the MSDN Web site.

Microsoft .NET Framework 1.1

Windows XP Embedded with SP2 provides support for the Microsoft .NET Framework 1.1. The .NET Framework 1.1 component that is included in the Windows Embedded Studio component database supplies the common language runtime (CLR) and the .NET Framework class library. This version of the .NET Framework delivers increased scalability and performance, and also includes:

• Native support for mobile Web applications
• Support for the execution of Windows Forms assemblies from the Internet
• Code access security for ASP.NET applications
• A unified programming model for smart client application development
• Support for IPv6

For information about dependencies and included files for the .NET Framework 1.1 component, see the Component Help documentation in Windows XP Embedded with SP2. For more information about .NET Framework 1.1, see the Microsoft .NET Framework Developer Center.

Microsoft Windows Media Player 9 Series

Windows XP Embedded with SP2 offers support for Microsoft Windows Media Player 9 Series. Windows Media Player 9 Series introduces new features including fast streaming, auto playlists, crossfading, and volume leveling.

For information about dependencies and included files for the Player, see the Component Help documentation that is included in Windows XP Embedded with SP2. For more information about Windows Media Player, see Windows Media Player 9 Series on the Microsoft Web site.

Terminal Server Remote Desktop

Windows XP Embedded with SP2 includes remote desktop support for embedded devices in the Terminal Server Remote Desktop component. For information about dependencies and included files, see Terminal Server Remote Desktop in the Component Help documentation that is provided in Windows XP Embedded with SP2.

Windows Firewall

Windows Firewall is enabled by default. This On-by-Default setting provides increased network protection for Windows XP Embedded-based run-time images that use the Windows Firewall components. On-by-Default affects both IPv4 and IPv6 traffic, and protects network connections as they are opened on your devices. The Windows Firewall feature is divided into two components that are located in the Windows Embedded Studio component database. The following table describes these components.

Component | Description
Windows Firewall/Internet Connection Sharing | Provides the Windows Firewall.
Windows Firewall Control Panel | Provides the Control Panel user interface that allows users to view and change Windows Firewall settings.

For more information about these components, see the Component Help documentation in Windows XP Embedded with SP2.

For more information about using Windows Firewall in your run-time image, see Windows Firewall in the Windows XP Embedded documentation.

For detailed information about the changes to Windows Firewall for Windows XP Professional SP2, see the white paper entitled Changes to Functionality in Microsoft Windows XP Professional Service Pack 2 on the Microsoft Web site.

Changes to Embedded Enabling Features

Windows XP Embedded with SP2 introduces new features that make it easier to build device driver support and application compatibility into your run-time images. This release also includes changes to embedded enabling features such as Minlogon and Enhanced Write Filter (EWF). These feature changes and additions are supported by comprehensive changes to the Windows XP Embedded documentation.

Application Compatibility

Windows XP Embedded with SP2 supplies application compatibility macro components for multimedia, networking, shell, Windows Management Instrumentation (WMI), and Windows core functionality.

Your run-time image must include certain components to be compatible with the applications that your device will run. A typical strategy for achieving application compatibility begins with specifying the applications that your device will run and determining their requirements. The next step is to locate the components that satisfy those requirements and include them in your run-time image. This can be a laborious process.

An easier way to achieve application compatibility between your run-time image and applications is to use application compatibility macro components, as shown in the following table.

Macro component | Description
Multimedia Application Compatibility | Packages most of the components that are used to provide Windows-based multimedia services. Includes components that support features such as GDI, kernel streaming, DirectX, OpenGL, and Windows Media.
Networking Application Compatibility | Supports a broad range of Windows-based networking applications.
Shell Application Compatibility | Packages most of the user interface elements that are contained in the Windows Explorer shell. Includes components for all Control Panel items and for all shell Explorer components.
Windows Management Instrumentation Technologies | Packages the features that combine to create the Windows Management Instrumentation (WMI) technologies.
Windows Application Compatibility | Packages the components of the Windows API, including the Advanced, GDI, and kernel-mode and user-mode components.

You can use these macro components during testing to find missing dependencies in your configuration that are related to application compatibility.

Each of these components includes a broad range of applications and has a sizeable footprint. In Target Designer, you can optionally exclude unnecessary components from each of these macro components to reduce the size of your run-time image.

For more information about using the application compatibility macro components, see Using Macro Components to Ensure Application Compatibility in the Windows XP Embedded documentation. For detailed information about the dependencies of each application compatibility macro component, see the Component Help documentation that is included in Windows XP Embedded with SP2.

For more information about Windows XP Embedded and application compatibility, see Application Compatibility in the Windows XP Embedded documentation.

For more information about application development in Windows XP Embedded, see Application Development on the MSDN Web site.

Device Driver Support

Windows XP Embedded with SP2 introduces the Generic Device Driver Support component. You can use this component during the design phase to quickly add support to your run-time image for one or more device classes, including the keyboard, printer, and modem device classes.

You can configure the Generic Device Driver Support component in Target Designer to include support for selected device classes. The device drivers that belong to the device classes that you select are automatically added to your run-time image during the build process. The appropriate class installers for the device classes that you select are also automatically added to your run-time image.

Using the Generic Device Driver Support component can help to reduce development time. However, adding support for entire device classes does impact footprint and build time. This component includes other settings to manage these effects. For example, you can choose whether to include or exclude component resources, such as registry information, from your run-time image. You can also choose whether to process the device driver dependencies of the device classes that your run-time image supports.

There are some limitations to the support that this component can provide. For example, third-party device driver files must be manually added to a configuration that uses the Generic Device Driver Support component. Additionally, some IEEE 1394 devices may have additional driver-related dependencies that are not satisfied by this component. For more information, see the Component Help documentation for Windows XP Embedded with SP2.

The following table shows the settings for the Generic Device Driver Support component.

Setting | Default setting | Description
Device driver class | Cleared | Select one or more of the listed device classes.
Include registry entries and other resources for this component | Cleared | Causes registry data and other resources to be copied into the run-time image. This increases the size of the run-time image that is built and the time that it takes to build it. If this option is not selected, registry data and other driver resources are not added to the run-time image and Plug and Play fills in the registry data later.
Process device driver dependencies | Cleared | Causes device driver dependencies to be processed. Selecting this option increases the time that it takes to check for dependencies. When class installers are added to the run-time image, a list of tasks is generated. These tasks do not require any action and will be completed during the build process.

Enhanced Write Filter

Enhanced Write Filter (EWF) is an embedded enabling feature that provides disk write-protection capabilities. In Windows XP Embedded with SP2, EWF supports hibernation in RAM and RAM Reg modes. Hibernation makes it possible to save to and boot from a file (a hibernation file) that defines the state of a system. Booting from a hibernation file reduces boot time and allows you to preserve system state through multiple reboots.

For more information about using EWF with hibernation, see Hibernation and EWF in the Windows XP Embedded documentation.

Minlogon

Minlogon is an embedded enabling feature that provides Windows logon support for a single-user environment. In Windows XP Embedded with SP2, the Minlogon environment supports the hibernation and standby power management features. Windows XP Embedded with SP2 supports these power management features by including the power management application. This application contains a DLL called Xpepm.dll that makes it possible to use standard power management features in configurations that do not include the Windows user interface for the Start menu.

For information about how to support hibernation and standby in your run-time image, see Power Management Application in the Windows XP Embedded documentation.

Documentation

Windows XP Embedded with SP2 provides documentation that integrates the latest information with tutorials and how-to topics to make it easier to get the most out of Windows XP Embedded. The documentation includes new information about embedded enabling features such as Device Update Agent (DUA), First Boot Agent (FBA), and Enhanced Write Filter (EWF). It also includes new information about security and servicing, as well as detailed information about using Windows Firewall.

The Component Help documentation now includes dependency lists for all components, as well as included interfaces, files, and registry information. The table of contents for the Component Help documentation has been reworked to mirror the organization of components in the Windows Embedded Studio component database.

For more information about changes to the documentation for Windows XP Embedded with SP2, see What's New in the Windows XP Embedded documentation. The Component Help documentation is provided in Windows XP Embedded with SP2.

Building Security into a Run-Time Image

Windows XP Professional SP2 provides new security technologies and default settings that increase security when compared with Windows XP Professional SP1. Windows XP Embedded with SP2 incorporates Windows XP Professional SP2 security changes and adds new support for run-time management and servicing. This can help increase security for device development with Windows XP Embedded with SP2. This section summarizes the security changes for Windows XP Embedded with SP2 and describes how they affect the device development process.

Windows Security Changes

Windows XP Professional SP2 provides broad security changes that affect the functional areas shown in the following table.

Area | Description of change
Network protection | Provides increased protection against network-based attacks. Includes enhancements to Windows Firewall and changes to Remote Procedure Call (RPC) that reduce the Windows surface area that is exposed for attack.
Memory protection | Increases protection against buffer overruns. Where possible, supplies operating system support for hardware-enforced data execution prevention (DEP).
E-mail handling | Includes default settings that increase security and offers improved control of e-mail attachments.
Browsing security | Improves the security of the Local Machine zone to prevent malicious scripts from running. Provides increased protection against harmful Web downloads. Provides improved user controls and user interfaces to help users be informed about the execution of malicious ActiveX controls and spyware on their devices.
Computer maintenance | Provides support for Security Center, a central location for users to get information about the security of their devices. Provides Windows Installer to increase the security of the software installation process.

For detailed information about security changes in Windows XP Professional SP2, see the white paper entitled Changes to Functionality in Microsoft Windows XP Service Pack 2 on the Microsoft Web site.

Security Considerations

The process of building security protections into an embedded run-time image begins in the design phase and continues into the servicing phase. Some fundamental considerations for building security protections into a run-time image include:

• Reduce surface area to reduce exposure to attack.
• Use default settings that reduce exposure to attack.
• Add support for run-time management and servicing to make it easier to update devices and help address security vulnerabilities.

The Windows security changes include some surface area reductions. You can further increase the security of your run-time image by including only the components that your device requires. This will reduce the surface area of your run-time image and its vulnerability to attack.

Reducing your exposure to attack also means eliminating unnecessary services from your run-time images or setting services to be disabled. For information about the Windows Embedded Studio components that supply Windows services, see Componentized Windows Services in the Windows XP Embedded documentation.

The Windows security changes affect a wide range of Windows features and their default settings. If your devices use applications that require certain default settings, you may have to resolve incompatibilities by rewriting the code of those applications, or by changing the default settings of the affected features on your run-time image.

One of the most important security changes in Windows XP Embedded is that Windows Firewall is enabled by default. You can configure the firewall to open specific ports and to allow only certain applications to communicate through ports. Windows Firewall is described in more depth earlier in this document. For information about configuring Windows Firewall in your run-time image, see How to Configure Windows Firewall on a Run-Time Image in the Windows XP Embedded documentation.

Windows XP Embedded with SP2 also includes a new registry key to improve Remote Procedure Call (RPC) security. The RestrictRemoteClients registry key helps prevent remote access to RPC interfaces that exist on a computer. For more information about Windows XP Embedded and RPC, see RPC Interface Restriction in the Windows XP Embedded documentation.

Designing a servicing strategy into your run-time image helps increase the security of your device over its lifetime. The following section provides information about new servicing support in Windows XP Embedded with SP2.

For general information about how to increase device security, see Network Security Considerations in the Windows XP Embedded documentation.

For information about network security components that you can add to your run-time image, see Network Security Components in the Windows XP Embedded documentation. This page maps components to the security binaries that they include.

For more information about building security into your run-time image, see Add Security Features to a Run-Time Image in the Windows XP Embedded documentation.

Managing and Servicing a Run-Time Image

Windows XP Embedded with SP2 offers new support for embedded run-time management and servicing. This section briefly describes these new management and servicing options. For more information about servicing with Windows XP Embedded, see Servicing in the Windows XP Embedded documentation.

Servicing Run-Time Images with Microsoft Software Update Services

Windows XP Embedded with SP2 provides support for Microsoft Software Update Services (SUS). SUS provides a complete servicing solution for managing the distribution of Windows updates to Windows clients, including Windows XP Embedded. SUS makes it possible for updates to be automatically installed on deployed devices, and for you to manage the update process remotely.

To use SUS as your servicing solution, you must set up and configure a SUS server on your intranet. The configured SUS server component provides you with a Windows Update Server that polls the Microsoft Windows Update Web site and downloads the available updates. SUS uses Internet Information Services (IIS) and Background Intelligent Transfer Service (BITS) to download updates to clients.

After the SUS server is created, an administrator manages the update process. Administrative tasks include configuring the Group Policy settings on deployed devices, and testing and approving Windows updates for distribution to deployed devices.

The following table shows the client components that are provided by Windows XP Embedded with SP2 in the Windows Embedded Studio component database.

Component | Description
Windows Update Agent | Obtains updates for clients from the Microsoft Windows Update Web site. Provides the Windows Update Agent service called Automatic Updates.
Windows Update Agent for SUS Servers | Provides the files that are required to use the Microsoft Windows Update Web site.
Windows Update for Device Drivers | Obtains drivers from Windows Update for Device Manager wizards.

In addition to installing and configuring a SUS server, you must build support for SUS into your run-time image. This support is provided by adding the Windows Update Agent component, and the Windows Update Agent for SUS Servers component, to your configuration.

None of the client components include settings that are configurable in Target Designer. Instead, the client components are configured by updating Group Policy after the run-time image is deployed. You can use Microsoft Active Directory or Microsoft Management Console (MMC) to update Group Policy on a deployed run-time image. You can also use Registry Editor to edit the registry directly.
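
The registry-backed settings named in Security Considerations (Windows Firewall enabled by default, RestrictRemoteClients) and the SUS client policy described above can be checked offline against a .reg export of a run-time image. The Python script below is an added example, not part of the Microsoft document; the registry paths and value names are the standard Windows XP SP2 locations rather than anything quoted on this page, and the export contents and the server name sus.example.internal are constructed.

```python
"""Offline audit of a .reg export for three settings discussed on this page."""
import re

# Standard Windows XP SP2 registry locations (not quoted from the page itself).
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile")
RPC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc"
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# Constructed export template; sus.example.internal is a placeholder server.
TEMPLATE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + FW_KEY + "]", '"EnableFirewall"=dword:{fw:08x}', "",
    "[" + RPC_KEY + "]", '"RestrictRemoteClients"=dword:{rpc:08x}', "",
    "[" + WU_KEY + "]", '"WUServer"="http://sus.example.internal"', "",
    "[" + WU_KEY + "\\AU]", '"UseWUServer"=dword:{use_wu:08x}', "",
])

KEY_RE = re.compile(r'^\[([^\]]+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def sample_export(fw, rpc, use_wu):
    """Build a constructed .reg export with the given DWORD values."""
    return TEMPLATE.format(fw=fw, rpc=rpc, use_wu=use_wu)


def parse_reg(text):
    """Parse REG_DWORD and simple REG_SZ values into {key: {name: value}}.

    Key paths and value names are lowercased because the registry is
    case-insensitive. Other value types (hex:, multi-line) are skipped.
    """
    hive, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = hive.setdefault(key.group(1).lower(), {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            name, dword, sz = val.groups()
            current[name.lower()] = int(dword, 16) if dword is not None else sz
    return hive


def lookup(hive, key, name):
    """Case-insensitive value lookup; returns None when key or value is absent."""
    return hive.get(key.lower(), {}).get(name.lower())


def audit(text):
    """Return a list of (check id, message) for settings that weaken the image."""
    hive, findings = parse_reg(text), []
    # Only StandardProfile is checked here; an absent value is reported too.
    if lookup(hive, FW_KEY, "EnableFirewall") != 1:
        findings.append(("firewall", "EnableFirewall is not 1 in StandardProfile"))
    # Assumption of this example: an absent value means the SP2 default (1),
    # so only an explicit 0 (no RPC restriction) is reported.
    if lookup(hive, RPC_KEY, "RestrictRemoteClients") == 0:
        findings.append(("rpc", "RestrictRemoteClients is 0 (restriction removed)"))
    if (lookup(hive, WU_KEY + "\\AU", "UseWUServer") != 1
            or not lookup(hive, WU_KEY, "WUServer")):
        findings.append(("sus", "Automatic Updates is not pointed at a SUS server"))
    return findings


if __name__ == "__main__":
    for label, export in (("weak", sample_export(0, 0, 0)),
                          ("hardened", sample_export(1, 1, 1))):
        print(label, audit(export) or "no findings")
```

A real export from Registry Editor is UTF-16 encoded, so decode it before passing the text to audit().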

For more information about the Windows Update Agent components, including component dependencies, see the Component Help documentation in Windows XP Embedded with SP2.

For detailed information about using SUS to service embedded run-time images, see the white paper entitled Using SUS with Windows XP Embedded with Service Pack 2, on the MSDN Web site.

Servicing Run-Time Images with Microsoft Systems Management Server

Microsoft® Systems Management Server (SMS) is an enterprise-level management solution that provides security patch management capabilities, client monitoring, and reporting for all Windows clients in a domain. Embedded developers can now use SMS to manage the deployment of security patches to Windows XP Embedded-based devices. Client and server components for SMS are not included in the Windows Embedded Studio component database and must be separately obtained.

For more information about SMS, see the Microsoft Systems Management Server Web site.

The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information presented after the date of publication. Schedules and
features contained in this document are subject to change.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

©2005 Microsoft Corporation. All rights reserved.

Microsoft, Windows XP and Windows Embedded are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries. The names of actual companies and
products mentioned herein may be the trademarks of their respective owners.
